A few months ago we discussed the various ways that consumer PII is compromised. The recent attacks against Target and Neiman Marcus illustrate the constant threat that payment card accepting retailers of all sizes face. Yesterday Reuters reported that similar breaches over the holidays affected “at least three other well-known U.S. retailers”. Given the current onslaught, it’s a good time for retailers to examine their detection capabilities before a payment card data attack, while creating new goals for shortening remediation windows during and after an attack.

The Managers’ Bottom Line

Payment card track data (the data stored on track 1 and track 2 of a card’s magnetic strip, also known as “dumps” in criminal parlance) continues to experience increased demand in the criminal Underground (primarily demonstrated in criminal web forums). For well over a decade, criminals have been leveraging globalization and the Internet to create a pipeline that transforms stolen payment card track data into physical spurious credit cards that are used for fraudulent in store purchases. Consumers’ payment card track data with or without PIN is one of the most sought after criminal commodities in the online marketplace. Short of identity theft and tax refund fraud, physical credit card fraud is the quickest way to become a criminal millionaire. Additionally, the United States remains one of the few first world countries still prolifically using magnetic stripe payment cards which means American companies are the extremely lucrative low hanging fruit. Last, the attacks on point of sale (POS) terminals and payment card networks are the most efficient way for criminals to steal track data and (often) associated PINs in bulk.

The past ten years is littered with stories of POS compromises affecting government agencies and businesses in almost every vertical including hotels, restaurants, retailers, etc. Many of the most egregious data breaches are never publicly disclosed, the only externality is an unexpected new payment card in the mail. The threat is real and it will continue unabated until the technological barriers to entry are raised significantly.

To substantially mitigate the risk of future POS compromise, businesses should look at hardware encryption devices at the point of sale. The payment card data attacks on Target and other retailers are possible because the POS payment solution includes third party software installed on a computer/terminal. The problem is that the payment card data is susceptible to interception in memory before the encryption process and transmission across the network.

If POS hardware encryption remains an unjustifiable business expense, companies should re-examine security policies to ensure that payment card data is included in the critical data category. This is data that must receive a logical and operational moat to ensure absolute detection of unauthorized access and irregular movement. There are too many ways to initially compromise the network; rather it is the internal critical data that must be identified, segmented, and monitored.

The Network Security Monitors’ Operational Insight

As a network defender imagine for a second that you are tasked with a penetration test of an enterprise business with the specific mandate to obtain as much payment card track data as possible while avoiding detection. How would you do it?

If the last decade of POS attacks is any indication, while clever, you’re over complicating the process. Gaining access to the corporate network is trivial. Spin the wheel of unauthorized access channels: for bonus speed points, buy a compromised host in the network from a bot herder, craft a reasonable Phish, or use a remote vulnerability in the content management system (CMS) of the marketing department’s most visited web destination for iframe redirection to your Metasploit server.

In any enterprise network, focusing exclusively on intrusion prevention is a lost cause. So assuming the attacker is already in the network their next step is locating the payment card data. While network enumeration and credential brute forcing /privilege escalation is often noisy, to make this simple let’s also assume that the attacker is pre-equipped with the payment processing network segment location and the requisite credentials to access it.

If the target is a large retail company the attacker(s) is going to assume that they are a Level 1 PCI compliant merchant. The attacker is going to fetch a pre-compiled suite of tools, probably in the form of a single compressed file. The download may occur over any one of a dozen different application protocols (FTP, HTTPS, RDP, VNC, DNS, etc.) but the attacker is going to use a protocol that has a higher chance of connection success without encountering egress proxy issues. Once the file transfer is complete, the tools will be unpacked and a regular expression (REGEX) search will be initiated to locate the Windows application process responsible for receiving and encrypting the customer’s swiped card payment data. The memory scraper will subsequently intercept payment card data and store it to log files. Since large files tend to attract attention often these log files will rotate after reaching a specific size threshold. Now the log files are ready for batch exfiltration, but first they need to be compressed and possibly encrypted to hopefully attract less attention.

A prepared attacker will include a script to automate this chain of events and scale the attack to all of the POS terminals in the network. If the script fails somewhere along the way, the attacker will make manual modifications, but little intervention is likely required as the attacker already knows the POS manufacturer and model.

Over the past 24 months a number of memory scraper malware families have been gaining notoriety due to their noisy and aggressive installation numbers across the Internet. Dexter, Alina, Trackr, and POSCardStealer are common anti-virus labels for binaries that scan the victim host process list for data matching the payment card track data REGEX.

While these families represent reasonable proof of concepts, they have been impotent in “the wild” as they are usually installed on Windows hosts that are not running POS software. The memory scrapers likely used in the most recent targeted retail attacks are almost certainly custom built or heavily modified from existing code for the specific attack. They have probably never been seen publicly prior to the attacks, so known memory scrapers are marginally useful for future profiling.

The most useful indicator of compromise (IOC) chain to focus on for future detection is the importation of a tool set, a new process running on the POS terminal, and finally the exfiltration of compressed files with uniform size and frequency. Create an operational play (and a playbook if needed) specific to alerting on this chain of events or any specific event that can be effectively tuned to dispel the typical noise. There are plenty of tool sets to accomplish the play and I like Netflow for a holistic picture of the network. In the Netflow space there are many resources, but I like Lancope’s StealthWatch Management Console. They provide a number of pre-installed, well thought out alerts, and it’s simple to create new alerts.

If I’m looking for payment card data exfiltration I could create an alert around repeating byte count patterns above a reasonable threshold and potentially add additional criteria for periodicity.

StealthWatch also includes a rule for “Suspect Data Loss” which alerts on large disparities between the quantity of inbound and outbound packets. Obviously a lot of legitimate traffic falls into this category, not just attacker exfiltration, but as part of the Cisco Cyber Threat Defense Solution, historical flow data on the network is analyzed to create a behavior baseline that in turn alerts on flow sessions that qualify as suspect outliers.

Last, application and process change detection should be in effect on all payment card processing systems. Any change on the end point or multiple end points should be cause for immediate analysis. Also, while most protocols tend to use compression for efficiency and speed gains, the compression tools themselves should be limited to an approved list.

The attacks on payment card data will continue to focus on POS systems, but well thought out detection plays, and/or the implementation of hardware encryption can dramatically help prevent future negative headlines.

Thanks to Martin Lee and Craig Williams for their assistance with this post.

2 Comments.

Nice post, very useful. One comment - it will be a good design to include some process within the application code around the payment card data to detect/monitor/alert in case some external code/process is accessing it.

One problem in your discussion is that attackers have gotten savier in their approach to getting data out by using HTTP with an encrypted data stream. They have also been seen using ports other than 80 and 443 as long as they are open to an external IP address they control. Again, the data is encrypted so that what is leaving cannot be readily identified. As a result, you need to look at large transmissions to anywhere which is where things can get potentially obscured with legitimate traffic.

Some of the individuals posting to this site, including the moderators, work for Cisco Systems. Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of Cisco. The content is provided for informational purposes only and is not meant to be an endorsement or representation by Cisco or any other party. This site is available to the public. No information you consider confidential should be posted to this site. By posting you agree to be solely responsible for the content of all information you contribute, link to, or otherwise upload to the Website and release Cisco from any liability related to your use of the Website. You also grant to Cisco a worldwide, perpetual, irrevocable, royalty-free and fully-paid, transferable (including rights to sublicense) right to exercise all copyright, publicity, and moral rights with respect to any original content you provide. The comments are moderated. Comments will appear as soon as they are approved by the moderator.